Full Version: Ninotchka's generic thread about "file appearing on the desktop"
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive General Support Issues
Ninotchka
QUOTE(Ai_Tak @ Feb 14 2007, 09:18 PM)
Post a hijackthis log.


I'm having the exact same problem. A file called neois30.exe also keeps reappearing on my desktop. There's nothing weird running under my open processes, at least not that I can identify. Nothing obviously weird in my startups either (again, that I can identify, I'm by no means expert). Ran full, updated Ad-Aware and NAV scans.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:07:49 PM, on 02/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\wincrt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Palm\Hotsync.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\System32\wincrt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

-----------

Many thanks to anyone with any ideas! I'm surprised that I haven't been able to find any mention of this one anywhere. Maybe my Google-fu is weak.
Ai_Tak
Submit that file to
http://www.virustotal.com/en/indexx.html
and post the results here.

What can you tell me about the corporate Symantec AntiVirus you have installed (what year and version, etc.)?
Ninotchka
QUOTE(Ai_Tak @ Feb 21 2007, 10:11 PM)
Submit that file to
http://www.virustotal.com/en/indexx.html
and post the results here.

What can you tell me about the corporate Symantec AntiVirus you have installed (what year and version, etc.)?


Program: 10.1.5.5010
Scan engine: 71.1.0.11

Well, VirusTotal found nothing in that file. I've taken a closer look at the page it keeps opening, Neospacelab.com -- it claims to be selling an antivirus program. The site is rife with spelling errors (although a decent effort). The domain was registered last month to a guy in Poland. Weird. I just wish I knew where this thing is so I can get it off.
HJThis
Hello, Ninotchka, and welcome.

Please do the same for this file: C:\WINDOWS\System32\wincrt.exe

---------------

Also

Open Notepad and copy and paste the following into it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt

Save this as lookdisable.bat (choose "All Files" as the file type) and place it on your desktop.
This is how the batch must look after you have created it (see the attached screenshot).
Double-click lookdisable.bat and also post its contents in your next reply.


Gogo ;)
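The batch file above concatenates two regedit exports of the MSConfig startupreg and startupfolder keys, which is where Windows XP's MSConfig parks the autostart entries a user has unticked. As an added example (not code from the thread or from any of the tools mentioned in it), the Python below parses such an export and prints, for each disabled item, where MSConfig says it originally lived. The sample export is constructed: the two entry names and the hkey/inimapping values mirror the export posted later in this thread, while the key, item and command values on the first entry are assumed for illustration and did not appear in that export.

```python
"""Parse a `regedit /e` export of HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
and list the disabled startup items it records.

Added example; not from the thread.  On Windows XP, MSConfig moves a Run entry
it disables into startupreg\<item> and records its origin in the values
hkey, key, item and command (inimapping is 0 for registry-backed items).
"""
import re

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

# Constructed sample.  The key/item/command values on drvsyskit are assumed
# for illustration (placeholder path); the thread's real export showed only
# hkey and inimapping for both entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\drvsyskit]
"hkey"="HKCU"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvsyskit"
"command"="C:\\placeholder\\drvsyskit.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\drv_st_key]
"hkey"="HKCU"
"inimapping"="0"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def load_export(path):
    """Read a regedit export; regedit 5.00 writes UTF-16LE with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def unescape_reg(value):
    """REG format escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_startupreg(text):
    """Return {item_name: {value_name: data}} for subkeys of startupreg."""
    entries = {}
    current = None
    prefix = (STARTUPREG + "\\").lower()
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            path = sec.group(1)
            if path.lower().startswith(prefix):
                current = path[len(prefix):]
                entries[current] = {}
            else:
                current = None          # the parent key or an unrelated key
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if val:
            entries[current][val.group(1)] = unescape_reg(val.group(2))
    return entries


def describe(entries):
    """One (name, origin_key, item, command) row per disabled item."""
    rows = []
    for name, vals in sorted(entries.items()):
        hive = HIVES.get(vals.get("hkey", ""), vals.get("hkey", "?"))
        key = vals.get("key")
        origin = hive + "\\" + key if key else hive + "\\<key not recorded>"
        rows.append((name, origin, vals.get("item", name),
                     vals.get("command", "<command not recorded>")))
    return rows


if __name__ == "__main__":
    for row in describe(parse_startupreg(SAMPLE_EXPORT)):
        print("%-12s  %s  item=%s  command=%s" % row)
```

On a live machine call `describe(parse_startupreg(load_export("startup.txt")))`; an item whose origin key is a Run key under HKCU, as both entries in the thread's export are, is a per-user autostart that MSConfig has disabled, not removed, and the value still has to be deleted from the MSConfig key or it can be re-enabled.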
Ninotchka
You're on to something! The scan of wincrt yielded:

AVG Generic3.ABC
CAT-QuickHeal (Suspicious) - DNAScan
F-Prot generic
NOD32v2 2074 probably unknown NewHeur_PE virus
Panda Adware/NeoSpace

I looked it up over at Panda, since Panda was the only one able to name it -- it was first posted on Feb 12, and as of now there's no removal suggestions... any ideas?


The results of lookdisable.bat:

--------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\drvsyskit]
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\drv_st_key]
"hkey"="HKCU"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

--------------------------

Thanks, I really appreciate the help.

ETA: Just happened again, allowing me to get a screenshot of the initial popup:

[screenshot attachment]

Don't know if that helps at all, but there it is!
Ninotchka
Has anyone had any success getting rid of Neospace? Anyone? Anyone?
HJThis
Hi, Ninotchka.

I ask that when working with me you give me a chance to get back to you.

Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

QUOTE
Files to delete:
C:\WINDOWS\System32\wincrt.exe
C:\winmtlt.exe
C:\winsxzx.exe
C:\winrytw.exe


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer should reboot and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

----------------

Then come back here with a new HijackThis logfile and feedback on how the PC is doing.


Gogo ;)
Mere_Mortal
Greetings,

I hope I'm not intruding, but please see here for information on this threat...

http://www.castlecops.com/postlite181205-.html

Best Regards,
M_M
Ninotchka
Okay, here are the logs...

--------
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kvedlybx

*******************

Script file located at: \??\C:\spuafadk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\wincrt.exe deleted successfully.


File C:\winmtlt.exe not found!
Deletion of file C:\winmtlt.exe failed!

Could not process line:
C:\winmtlt.exe
Status: 0xc0000034



File C:\winsxzx.exe not found!
Deletion of file C:\winsxzx.exe failed!

Could not process line:
C:\winsxzx.exe
Status: 0xc0000034



File C:\winrytw.exe not found!
Deletion of file C:\winrytw.exe failed!

Could not process line:
C:\winrytw.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:17:25 PM, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Palm\Hotsync.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\System32\wincrt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{1489CE17-E0F4-4042-AEB6-0FC03F4FC1A4}: Domain = win.ad.jhu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ad.jhu.edu,win.ad.jhu.edu,hosts.jhmi.edu,jhmi.edu,jhu.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


------------
Incidentally, before I did this I updated Ad-Aware. It found and removed Neospace. The next day it started popping up again... I ran Ad-Aware again, but this time it didn't find anything!

Thanks for any help you can give.
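The two HijackThis logs in this thread show the pattern a responder checks for after a cleanup: Avenger deleted wincrt.exe, yet the O4 Run value "Windows Critical Alert" pointing at it is still present in the second log, and the poster reports the adware coming back. As an added example (not code from the thread, from HijackThis or from Avenger), the Python below parses the O4 lines of two logs, reports which autostart entries were added or removed between them, and flags Run values whose target file is missing. The log excerpts are constructed from O4 lines posted above, and file presence is supplied as a predicate so the check runs offline (pass os.path.exists on the live machine).

```python
"""Diff the O4 (autostart) entries of two HijackThis logs and flag Run
values whose executable no longer exists on disk.

Added example; not from the thread or from HijackThis.  BEFORE/AFTER are
constructed excerpts of the O4 sections of the two logs posted above.
"""
import os
import re

BEFORE = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\System32\wincrt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
"""

AFTER = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Critical Alert] "C:\WINDOWS\System32\wincrt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
"""

# Constructed view of the disk after Avenger ran: everything except wincrt.exe.
PRESENT_AFTER_AVENGER = {
    r"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe",
    r"C:\Palm\Hotsync.exe",
}

# "O4 - <location>: [<value name>] <command>"  (registry Run/RunOnce entries)
O4_REG_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - <Global|Startup> Startup: <shortcut> = <command>"  (startup folders)
O4_DIR_RE = re.compile(r"^O4 - (?P<loc>.+? Startup): (?P<name>.+?) = (?P<cmd>.*)$")


def parse_o4(log_text):
    """Map (location, value name) -> command for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_REG_RE.match(line) or O4_DIR_RE.match(line)
        if m:
            entries[(m.group("loc"), m.group("name"))] = m.group("cmd").strip()
    return entries


def image_path(cmd):
    """Executable referenced by a Run value: the quoted path, else the first
    token (an unquoted path containing spaces is ambiguous on Windows too)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def diff_o4(before, after):
    """Entries removed, added, and changed between two parsed logs."""
    removed = {k: v for k, v in before.items() if k not in after}
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return removed, added, changed


def orphaned(entries, exists=os.path.exists):
    """Run values whose absolute target does not exist: either a value left
    behind after the file was deleted, or a file a dropper recreates later.
    Bare names (e.g. pctspk.exe) resolve through the search path, so they
    are skipped rather than guessed."""
    out = {}
    for key, cmd in entries.items():
        path = image_path(cmd)
        if "\\" in path and not exists(path):
            out[key] = path
    return out


if __name__ == "__main__":
    before, after = parse_o4(BEFORE), parse_o4(AFTER)
    removed, added, changed = diff_o4(before, after)
    print("removed:", removed)
    print("added:", added)
    print("changed:", changed)
    print("orphaned after cleanup:",
          orphaned(after, exists=PRESENT_AFTER_AVENGER.__contains__))
```

The orphan check is the step that turns "the file is gone" into "the persistence is gone": a Run value whose target is missing should be deleted as well, and if the target reappears on a later run, the value was being fed by something still on the box.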